You don’t need to be a cybersecurity expert to see it: in today’s digitally dependent world, cyber attacks pose real threats for critical infrastructure and the functioning of societies. The ICRC is particularly concerned about the vulnerability of hospitals to cyber attacks – a risk that is acute at all times but even more dangerous in times of conflict or pandemics, such as the current COVID-19 crisis. The UN Secretary General has voiced his concern that if a major conflict were to break out today ‘it would start with a massive, massive cyber attack, not only on military installations, but some civilian infrastructure’.
Recent months have seen an unprecedented peak in intergovernmental discussions on existing and potential threats in cyberspace, the applicability of international law in that sphere, and how norms can help avert the significant threats posed by malicious cyber activities. All UN Member States are participating in the Open-Ended Working Group, experts from 25 States are convening in the Group of Governmental Experts, and tech companies and civil society have joined the debates on some occasions.
As the organization mandated by States to work towards an understanding of international humanitarian law, its faithful application during armed conflicts, and to prepare any developments of this body of law, the ICRC has participated in several of these discussions and shared its positions with all States. As cyber operations are today conducted during armed conflicts, the ICRC is concerned about their potential harm to humans. In this rapidly evolving field of new technology, the ICRC calls on States to deploy cyber operations only within the confines of existing international law, in particular international humanitarian law, and uses the opportunity to address seven key law and policy questions on cyber operations during armed conflict.
1. Cyber conflict – a concern only for technologically advanced States?
Because of the interconnected nature of cyberspace, the effective regulation of cyber operations during armed conflict concerns all States, whatever their level of technological development and whether or not they are developing military cyber capabilities. In cyberspace, attacks carried out against one State can affect many others – wherever they are located and irrespective of whether they are involved in the conflict. We saw this when in recent years malware spread quickly and left hardly any country unaffected.
Under international humanitarian law, attacks that employ means or methods of warfare which cannot be directed against a specific military objective, or the effects of which cannot be limited in a lawful manner, are prohibited (see Article 51(4) of Additional Protocol I; rule 11 of ICRC Customary IHL Study). In the cyber context, this means that cyber tools that spread and cause damage indiscriminately are unlawful. Thus, it should be a primary concern for all States to ensure that the international community affirms the applicability of international humanitarian law in cyberspace and that all States respect its rules during armed conflict.
2. Does international humanitarian law legitimize the militarization of cyberspace or cyber warfare?
No. Affirming the applicability of international humanitarian law does not legitimize cyber warfare, just as it does not legitimize any other form of warfare. Restricting cyber operations during armed conflict does not legitimize the use of hostile cyber operations or necessarily render their use lawful.
In our more than 150-years-long experience of participating in intergovernmental discussions about war, we have repeatedly heard the fear about a possible legitimization of warfare. In 1977, however, States dismissed the fear that international humanitarian law legitimizes warfare in unequivocal terms: the preamble to First Additional Protocol to the 1949 Geneva Conventions states that international humanitarian law must not ‘be construed as legitimizing or authorizing any act of aggression or any other use of force inconsistent with the Charter of the United Nations’.
In fact, affirming the limits that international humanitarian law imposes on cyber operations during armed conflicts is more important today than ever before. Cyber operations have become a reality of armed conflict, with many States developing offensive cyber capabilities. States have a responsibility to ensure that these new means and methods of warfare are not unrestricted. Even in times of peace, certain rules of international humanitarian law limit the types of weapons, means and methods that may be developed (see Article 36 of AP I). During armed conflict, respect for international humanitarian law protects civilians against the worst forms of violence.
3. When does international humanitarian law apply?
International humanitarian law applies to cyber operations during armed conflicts – and only during armed conflict. When we speak to militaries around the world, hardly anyone disputes that if militaries decide to conduct cyber operations during an ongoing armed conflict, international humanitarian law applies to these cyber operations. The opposite position would lead to the absurd conclusion that a party to the conflict is prohibited from attacking a hospital with a missile, but it could still lawfully destroy computers, machines, and networks in the same hospital through cyber operations.
A recurring question is whether a cyber operation can itself trigger the application of international humanitarian law, which applies if tensions between States – or a situation of violence between a State and a non-State armed group – escalate into an armed conflict (see ICRC 2016 Commentary on the 1949 First Geneva Convention, paras 253-256 and 436-437). With regard to international armed conflicts, it is today agreed that ‘an armed conflict exists whenever there is a resort to armed force between States’ (ICTY, Tadić Jurisdictional Appeal, para. 70). But when is this point reached in situations involving cyber operations?
It is generally accepted that cyber operations having similar effects to classic kinetic operations – such as the destruction of civilian or military assets or cause the death or injury of soldiers or civilians – is governed by international humanitarian law applicable in international armed conflict (Tallinn Manual 2.0, rule 82, paragraph 16).
It is less clear whether cyber operations that do not physically destroy or damage military or civilian infrastructure could be considered a resort to armed force governed by international humanitarian law in the absence of kinetic hostilities. It remains to be seen if and under what conditions States will treat such cyber operations as armed force amounting to armed conflict under international humanitarian law.
4. What is the relationship between international humanitarian law and the UN Charter?
International humanitarian law and the Charter of the United Nations are distinct but complementary. While the preamble of the Charter states that its aim is to ‘save succeeding generations from the scourge of war’, the objective of international humanitarian law is ‘protecting the victims of armed conflict’ (preamble, Additional Protocol I). Concretely, the UN Charter prohibits the use of force other than in self-defence or when authorized by the Security Council. It requires that international disputes be settled by peaceful means. The applicability of international humanitarian law does not replace or set aside the Charter. If, however, an armed conflict breaks out, international humanitarian law sets out essential protections for those who do not (civilians) or no longer (for example, wounded soldiers or detainees) participate in hostilities.
As both international humanitarian law and the UN Charter are concerned with armed conflicts, some of the terminology they use is almost identical and at times confusing.
For instance, under Article 51 of the UN Charter, the right to self-defence exists against an ‘armed attack’. According to the International Court of Justice, only the ‘most grave forms of the use of force’ constitute such armed attacks. It is important to underline that the notion of ‘armed attack’ under the UN Charter is different from a ‘resort to armed force’ that could trigger an armed conflict under international humanitarian law (see above) or the notion of ‘attack’ under international humanitarian law. To qualify a cyber operation as a resort to armed force that triggers the application of or qualified as an attack under international humanitarian law does not necessarily mean that it is an ‘armed attack’ under the UN Charter.
5. May cyber operations be less harmful than kinetic ones?
For the military, the use of cyber operations may offer alternatives that other means or methods of warfare do not, but it also carries risks.
Cyber operations have the potential to enable parties to armed conflicts to achieve their military aims without harming civilians or causing physical damage to civilian infrastructure. Militaries sometimes emphasize that through cyber technology, they may cause less damage than through kinetic attacks. This also means that, after a conflict, it may be easier and less costly to restore infrastructure.
At the same time, the use of cyber operations during armed conflict also carries risks. Recent cyber operations – which have been mostly conducted outside the context of armed conflict – show that sophisticated actors have developed the capability to disrupt the provision of essential services to the civilian population. Today, much is unknown with respect to the most sophisticated cyber capabilities, how technology may evolve, and the extent to which the use of cyber operations during future armed conflicts might be different from the trends observed so far.
6. Is existing international humanitarian law adequate to apply in cyberspace?
Yes – but further discussions among States are needed to clarify various points, including key international humanitarian law notions.
On the one hand, one of the great strengths of international humanitarian law is that States have formulated rules in such ways that they apply ‘to all forms of warfare and to all kinds of weapons’, including ‘those of the future’ (ICJ, Nuclear Weapons advisory opinion, para. 86). Indeed, the basic rules are straightforward: targeting civilians and civilian objects is forbidden; indiscriminate weapons and attacks must not be used; disproportionate attacks are prohibited; medical services must be respected and protected (see here, pp. 5-6). These and many other rules apply in cyberspace and must be respected.
On the other hand, the ICRC recognizes that there are questions on which States and other experts do not agree. These include, for instance, whether civilian data enjoys the same protection as civilian objects, or whether cyber operations that disrupt systems without causing physical damage amount to an ‘attack’ as defined in international humanitarian law (see here, pp. 7-8). But we should not forget that disagreements on certain issues among States and legal experts have always existed. And still, disagreement on the interpretation of various rules or notions cannot put into question the applicability of the law as such.
7. Is existing law sufficient or is a new cyber convention needed?
In multilateral debates on the application of international law in cyberspace, the question of whether a new convention is needed for cyberspace is not primarily about the use of cyber operations during armed conflicts: it concerns a much larger spectrum of international law issues that go well beyond international humanitarian law.
States hold different views on this question.
With regard to international humanitarian law specifically, the object and purpose of this body of law is to restrict the use of means and methods of warfare to protect civilians and civilian objects against the effects of hostilities. The ICRC calls upon States to take clear positions on how international humanitarian law applies in cyberspace, including on how it protects civilian infrastructure from being disabled through cyber means and how it protects civilian data. Such positions will determine the extent of the protection that international humanitarian law affords to civilians and civilian infrastructure, and accordingly influence the assessment of whether the existing rules are adequate and sufficient or whether new rules may be needed to regulate cyber operations during armed conflict.
If States see a need to develop new rules, these rules must build on and strengthen the existing legal framework. In the meantime, cyber operations during armed conflicts do not occur in a legal void but must comply with existing international humanitarian law rules.
- Sergio Caltagirone, Industrial cyber attacks: a humanitarian crisis in the making, December 3, 2019
- Laurent Gisel and Tilman Rodenhauser, Cyber operations and international humanitarian law: five key points, November 28, 2019
- Humanitarian Law & Policy Blog, Human Costs of Cyber – Blog Series, May-June 2019
- ICRC, International Humanitarian Law and Cyber Operations during Armed Conflict, 28 November 2019